Category Archives: Cloud

Azure Monitor: introduction to monitor service for virtual machines

In Azure Monitor was introduced a new service that allows you to monitor virtual machines, called Azure Monitor for VMs. This service analyzes the performance data and the status of virtual machines, makes the monitor of the installed processes and examines its dependencies. This article shows the characteristics of the solution and describes the procedure to be followed to effect the activation.

Features of the solution

The service Azure Monitor for VMs is divided into three different perspectives:

  • Health: the logical components present on board of the virtual machines are evaluated according to specific pre-configured criteria, generating alerts when certain conditions are met. This feature, at the moment, is present only for systems that reside in Azure.
  • Performance: shows summary details of performance, from the guest operating system.
  • Map: generates a map with the interconnections between the various components that reside on different systems.

This solution can be used on Windows and Linux virtual machines, regardless of the environment in which they reside (Azure, on-premises or at other cloud providers).

Azure Monitor for VMs requires the presence of a workspace of Log Analytics. Since this is a feature currently in preview, workspace are supported in these regions: West Central US, East US, West Europe and Southeast Asia. Enabling a Log Analytics workspace can occur according to these modes:

To identify the operating systems that are supported by this solution, please visit the Official Microsoft documentation.

 

How to enable Azure Monitor for VMs

To enable the solution for a single virtual machine, from the Azure Portal, it is possible to proceed by accessing the section Insights from the virtual machine:

Figure 1 – Enabling Azure Monitor for VMs on a single VM

Enabling the solution on a single virtual machine it is possible to choose which Log Analytics workspace use and possibly create a new one. The advice is to precede before with the creation of workspace, so you can assign a meaningful name. The workspace of Log Analytics must be configured as follows:

  • You must have installed the solutions ServiceMap and InfrastructureInsights. The installation of this solutions can be done via JSON templates, according to the instructions in this document.

Figure 2 – Presence of solutions ServiceMap and InfrastructureInsights

Figure 3 – Collecting the performance counters enabled on Log Analytics workspace

Azure Monitor for VMs requires Log Analytics agent on virtual machines, also the functionality of Map requires the installation of the Microsoft Dependency agent. This is an additional agent which relies on Log Analytics agent for the connection to the workspace.

If you want to enable the solution for systems in Azure, you can activate the Dependency agent using the appropriate extension, that do the installation. For virtual machines that reside on Azure you must install it manually or via a solution that automates the deployment (such as System Center Configuration Manager).

To enable this feature automatically on new virtual machines created in Azure environment and achieve a high level of compliance you can also use the Azure Policy. Through the Azure Policy you can:

  • Deploy the Log Analytics and Dependency agent.
  • Having a report on the status of compliance
  • Start remediation actions for non-compliant VMs.

Figure 4 – Adding an Assignment

Figure 5 - Initiative definition to enable Azure Monitor for VMs

Figure 6 - Check of the state of compliance of the Policy

 

Consulting data collected from the solution

To analyze and identify critical operating system events, detect suboptimal performance and network issues, you can refer to the data provided by this solution directly from VM or using Azure Monitor, in case you want to have an aggregated view of the various virtual machines. All this allows you to detect and identify if problems are related to specific dependencies on other services.

Figure 7 – State of Health of a single virtual machine

Figure 8 – Performance gathered from multiple VMs, accessible by Azure Monitor

Figure 9 – Dependencies Map of various services present on VMs, accessible by Azure Monitor

For more information about using the features of Health you can consult this Microsoft documentation, while the article View Azure Monitor for VMs Map shows how to identify and analyze the dependencies detected from the solution.

Costs of the solution

By activating the solution Azure Monitor for VMs, the data collected by the virtual machines are sent and maintained in Azure Monitor and can depend on several factors, such as the number of logical disks and network adapters. The costs are those related to Azure Monitor, which has costs on the basis of the following elements:

  • Data ingested and collected.
  • Number of health monitored criteria.
  • Alert rule created.
  • Notifications sent.

 

Conclusions

The service Azure Monitor for VMs allowing you to have a fully integrated tool in Azure to monitor the virtual machines and to obtain a complete control of systems, regardless of where they reside. This solution is also particularly useful to conduct troubleshooting operations in a simple and immediate way. This service, although it is currently in preview, is already full enough and it will be enriched soon with new features.

How to reduce the cost of the cloud with Microsoft Azure

The evolution of the data center allows us to have solutions completely in the public cloud or hybrid scenarios where, the decision to use resources in the cloud, in addition to functional factors, must necessarily be made taking into consideration the fundamental aspect of costs. This article lists the directions that you can follow to achieve cost savings, maintaining their own application workloads on Azure.

Azure Reservations

The cost of various Azure services is calculated on the basis of resource usage and you can make an estimate of the cost by using the Azure pricing calculator.

If, of Azure resources in the environment, is done a continuous use is possible to evaluate the activation of Azure Reservations.

The Azure Reservation allow you to achieve cost savings up to 72% compared to the pay-as-you-go price , simply prepay in advance for one or three years the use of Azure resources. Currently, Azure resources that allow to obtain these discounts are: virtual machines, Azure SQL Database, Azure Cosmos DB and SUSE Linux. The purchase of this reservation can be made directly from the portal Azure and is feasible for customers who have the following types of subscription:

  • Enterprise agreement: in this area are not contemplated resources residing in Dev/Test subscription. It is possible to draw upon the Azure Monetary Commitment to purchase the Azure Reservation.
  • Pay-As-You-Go.
  • Cloud Solution Provider (CSP): in this case the purchase is feasible even from the Partner Center.

Among the Azure reservation there are:

  • Reserved Virtual Machine Instance: the reservation covers only the virtual machine's computational costs, and it does not cover the additional costs from software installed aboard the VM, from networking, or from storage utilization.
  • SQL Database reserved vCore: also in this case includes only computational costs, while the licenses are billed separately.
  • Azure Cosmos DB reserved capacity: the reservation covers the actual throughput of the resource, but does not cover the expected costs of storage and networking.
  • Suse Linux: saves on SUSE Linux Enterprise license costs.

How to buy the Azure Reservations from the Azure Portal

To purchase Reservations from Azure portal it is possible to follow the procedure given below.

Figure 1 – Adding Azure Reservation from portal and type selection

Figure 2 – Configuration of the parameters required for the Reserved Virtual Machine Instances

Figure 3 – Summary of Azure Reservations purchased

For more details about how the Reservation affect the calculation of Azure costs, you can consult the following Microsoft documents:

Hybrid Benefit

Another option to consider for reducing Azure costs is the use ofAzure Hybrid Benefit, that saves up to 40% on the cost of Windows Server virtual machines that are deployed on Azure. The savings is given from the fact that Microsoft allows you to pay only the cost of Azure infrastructure, while the licensing for Windows Server is covered by Software Assurance. This benefit is applicable both to the Standard and Datacenter version and is available for Windows Server 200 R2 or later.

Figure 4 – Cost structure for a Windows VM

The Azure Hybrid Benefit can be used in conjunction with the Azure Reserved VM Instance, allowing overall savings that can reach 80% (in the case of purchase of Azure Reserved Instance for 3 years).

Figure 5 – Percentages of savings by adopting RIs and Azure Hybrid Benefit

If you are not in the condition to use Azure Hybrid Benefit, the cost of Windows Server licensing is calculated based on usage time of the virtual machine and according to the number of cores.

The Azure Hybrid Benefit can also be used for Azure SQL Database and SQL Server installed on Azure virtual machines. These advantages facilitate the migration to cloud solutions and help to maximize the investments already made in terms of SQL Server licenses. For more information on how you can use the Azure Hybrid Benefit for SQL Server you can view FAQ in this document.

The cost savings, guaranteed by the use of Azure Hybrid Benefits, can be estimated using the tool Azure Hybrid Benefit Savings Calculator.

Recently Microsoft has conducted studies on the costs to be incurred to enable Windows Server and SQL Server in the cloud that highlight how, thanks to the use of Azure Reservations and Azure Hybrid Benefit, AWS is up to 5 times more expensive than Azure. The comparative between Azure and AWS costs is easily possible to evaluate with the instrument Azure vs.. AWS Cost Comparison.

Conclusions

Azure is definitely the most cost-effective choice to host in particular Microsoft workloads, being able to have lower cost thanks to the advantages provided by the Azure Reservation and the Azure Hybrid Benefit. In addition, thanks to the tool Azure cost management, made available for free to all Azure customers, you have the ability to monitor and optimize the costs of various Azure services.

OMS and System Center: What's New in November 2018

Microsoft announces constantly news about Operations Management Suite (OMS) and System Center. Our community releases this monthly summary that gives you a comprehensive overview of the main news of the month, to stay up to date on these topics and have the necessary references to conduct further investigation.

Operations Management Suite (OMS)

Azure Monitor

SQL Data Warehouse now allows you to send diagnostic information to a workspace of Log Analytics. This setting allows developers to better analyze the behavior of their application workloads to optimize queries, to better manage the use of resources and undertake troubleshooting operations.

Figure 1 – SQL Data Warehouse Diagnostics settings

Log Analytics

Starting from 1 February 2019 changes are foreseen regarding service-level agreements (SLAs) for Log Analytics and Application Insights (which are now part of Azure Monitor). The new SLAs refer to the availability of the query (Query Availability SLA) that for a given resource will be of 99.9 %. Previously, SLAs were referring to data latency (Data latency SLA).

Agent

This month the new version ofOMS agent for Linux systems fixes important bugs and improves stability. To obtain the updated version of the OMS agent you can access to the official GitHub page OMS Agent for Linux Patch v 1.8.1-256.

Figure 2 – Bug fixes and what's new for the OMS agent for Linux

Azure Backup

For Microsoft Azure Backup Server has been released version 3 (MABS V3), which includes important bug fixes, introduces support for Windows Server 2019 and SQL Server 2017, and introduces new features and improvements including:

  • Support for the protection of VMware virtual machines for production environments.
  • Use TLS 1.2 for communications between MABS and protected servers, for certificate-based authentication, and for cloud backups.

The MABS V3 code is based on the System Center Data Protection Manager 1807. To get more information about it, please consult the Knowledge Base Microsoft Azure Backup Server v3.

Azure Site Recovery

In Azure Site Recovery was introduced support for the firewall-enabled storage accounts. Thanks to this support you can replicate to another region, for disaster recovery purposes, virtual machines with unmanaged disks, residing on firewall-enabled storage accounts. The firewall-enabled storage account can also be selected as a storage target for unmanaged disks. You can also restrict access to the cache storage account, so that you can write only by the virtual network that host virtual machines. In these cases it is necessary to enable the exception as described in Microsoft documentation Allow trusted Microsoft services.

 

System Center

System Center Configuration Manager

For the Current Branch (CB) of System Center Configuration Manager has been releasedupdate 1810, that introduces new features and major improvements in the product.

The main novelty of this update reveals the possibility for Central Administration sites and child primary sites to have an additional site server in passive mode, on-prem or on Azure.

Figure 3 – Site server High Availability Architecture

For a complete list of new features introduced in this version of Configuration Manager you can consult the official documentation.

System Center Operations Manager

Following, are reported the news about the following SCOM Management Packs:

  • Windows Server Cluster 2016 and 1709 Plus version 10.6.6
  • Windows Print Server 2016 and 1709 more version 10.6.1
  • Windows Server Network Load Balancing 2016 and 1709 plus versione 10.2.1
  • Internet Information Service 2016 and 1709 Plus version 10.9.1
  • Windows Server DNS versione 10.9.2
  • Windows Server DHCP 2016 and 1709 Plus version 10.11.0
  • Active Directory Federation Services version 10.3.0
  • Active Directory Federation Services 2012 R2 version 1.10172.1
  • Skype for Business Server 2019 version 2046.19
  • Windows Server 2012 DHCP version 6.0.7307.0
  • UNIX and Linux Operating Systems versione 7.7.1136.0
  • Microsoft Windows Server File & iSCSI Services 2012 R2 version 7.1.10100.2
  • Microsoft Windows Server File & iSCSI Services 2016 and 1709 More version 10.0.0.0

 

Evaluation of Azure and System Center

To test and evaluate free of charge the services offered by Azure you can access this page, while to try the various System Center components you must access theEvaluation Center and, after registering, you can start the trial period.

How to monitor Office 365 with Azure Log Analytics

In Azure Log Analytics is available a specific solution that consolidates within the Log Analytics workspace different information from the environment Office 365, making the consultation of the data simple and intuitive. This article will look at the characteristics of this solution and It will illustrate the steps to follow for the relative activation.

Features of the solution

The solution allows you to use Log Analytics to perform the following tasks related to Office 365:

  • Monitor the activities carried out by administrators, in order to track changes to configurations and operations that require elevated privileges.
  • Analyze the activities of account in Office 365 in order to identify behavioral trends and monitor resource utilization. For example, you can determine which files are shared outside your organization or check the most used SharePoint sites.
  • Provide support in audits and compliance. It is possible for example to control access to specific files that are considered confidential.
  • Identify any unwanted behaviors that are performed by users, based on specific organizational needs.
  • Play easier troubleshooting tasks that become necessary in your environment Office 365.

To enable this solution you must have an account with the role Global Administrator. For a single Log Analytics workspace you can connect multiple subscriptions Office 365. In case you want to merge in the Log Analytics workspace also the Audit events of Office 365 you must enable auditing on the subscription Office 365, by following the steps in this documentation.

Figure 1 – Enabling Office 365 audit

Solution activation

To enable theOffice 365 Management solution You must follow these steps. The solution collects data directly from Office 365, without the iteration of any agent of Log Analytics.

Figure 2 – Access to Workspace summary from the Azure portal and adding solution

Figure 3 - Selection of the solution of Office 365

Figure 4 – Selection of the workspace to use

The solution requires the presence of an Azure Active Directory application, configured as reported later, which is used to access data in Office 365.

Figure 5 – Adding a new App registration in Azure AD

Figure 6 – Creation of the App registration required for solution

Figure 7 – Enable Multi-tenanted

Figure 8 -Added API Access for Office 365 Management APIs

Figure 9 - Selection of permission for Office 365 Management APIs

Figure 10 – Assignment of permissions

To be able to configure the solution is required a key for the Azure Active Directory application created.

Figure 11 – Generating a key for the application

At this point, you must run the PowerShell script office365_consent.ps1 which enables administrative access. This script is available at this link.

Figure 12 - Command line example for the execution of the script office365_consent.ps1

Figure 13 - Request for administrative approval

The last step needed to complete activation is the script PowerShell office365_subscription.ps1, also available at this link, which subscribes the Azure AD application to the Log Analytics workspace.

Figure 14 - Command line example for the execution of the script office365_subscription.ps1

After the initial configuration may take several minutes to display the data from Office 365 in Log Analytics. All records created by this solution in Log Analytics have the Type in OfficeActivity. The value contained in the property OfficeWorkload determines which Office Service 365 refers: Exchange, Azure Active Directory, SharePoint, or OneDrive. In the property RecordType instead, is showed the type of operation performed.

The solution adds to the dashboard the following tile:

Figure 15 - Tile Office 365

When selected it will open the specific dashboard, which divides the various services activities collected from Office 365.

Figure 16 – Dashboard of Office 365

Of course you can also perform specific queries to suit your needs:

Figure 17 - Examples of queries to return specific records collected by the solution

 

Conclusions

The collection in Log Analytics of activities carried out in Office 365 allows granular control of the environment, in order to satisfy at best and with a single instrument to regulations concerning auditing and compliance.

Azure File Sync: solution overview

The Azure File Sync service (AFS) allows you to centralize the network folders of your infrastructure in Azure Files, allowing you to maintain the typical characteristics of a file server on-premises, in terms of performance, compatibility and flexibility and at the same time to benefit from the potential offered by cloud. This article describes the main features of the Azure File Sync service and the procedures to be followed to deploy it.

Figure 1 – Overview of Azure File Sync

Azure File Sync is able to transform Windows Server in a "cache" for quick access to content on a given Azure file share. Local access to data can occur with any protocol available in Windows Server, such as SMB, NFS, and FTPS. You have the possibility to have multiple "cache" servers in different geographic locations.

These are the main features of Azure File Sync:

  • Multi-site sync: you have the option to sync between different sites, allowing write access to the same data between different Windows Servers and Azure Files.
  • Cloud tiering: are maintained locally only recently accessed data.
  • Integration with Azure backup: becomes invalid the need to back up data on premises. You can get content protection through Azure Backup.
  • Disaster recovery: you have the option to immediately restore metadata files and retrieve only the data you need, for faster service reactivation in Disaster Recovery scenarios.
  • Direct access to the cloud: is allowed to directly access content on the File Share from other Azure resources (IaaS and PaaS).

 

Requirements

In order to deploy Azure File Sync, you need the following requirements:

A Azure Storage Account, with a file share configured on Azure Files, in the same region where you want to deploy the AFS service. To create a storage account, you can follow the article Create a storage account, while the file share creation process is shown in this document.

A Windows Server system running Windows Server 2012 R2 or later, who must have:

  • PowerShell 5.1, which is included by default since Windows Server 2016.
  • PowerShell Modules AzureRM.
  • Azure File Sync agent. The setup of the agent can be downloaded at this link. If you intend to use AFS clustered environment, you should install the agent on all nodes in the cluster. In this regard Windows Server Failover Clustering is supported by Azure Sync Files of deployment type “File Server for general use”. The Failover Cluster environment is not supported on “Scale-Out File Server for application data” (SOFS) or on Clustered Shared Volumes (CSVS).
  • You should keep the option "Internet Explorer Enhanced Security Configuration" disabled for Administrators and for Users.

 

Concepts and service configuration

After confirming the presence of these requirements the Azure File Sync activation requires to proceed with the creation of the service Storage Sync:

Figure 2 – Creating Storage Sync service

This is the top-level resource for Azure File Sync, which acts as a container for the synchronization relationships between different storage accounts and multiple Sync Group. The Sync Group defines the synchronization topology for a set of files. The endpoints that are located within the same Sync Group are kept in sync with each other.

Figure 3 – Creating Sync Group

At this point you can proceed with server registration by starting the agent Azure File Sync.

Figure 4 – Initiation of the process of Sign-in

Figure 5 – Selection of server registration parameters

Figure 6 – Confirmation of registration of the agent

After the registration the server will also appear in the "Registered servers" section of the Azure portal:

Figure 7 – Registered servers into Storage Sync service

At the end of the server registration is appropriate to insert a Server Endpoints within the Sync Group, which integrates a volume or a specific folder, with a Registered Server, creating a location for the synchronization.

Figure 8 – Adding a Server Endpoint

Adding a Server Endpoint you can enable Cloud tiering that preserves, locally on the Windows Server cache, most frequently accessed files, while all the remaining files are saved in Azure on the basis of specific policies that can be configured. More information about Cloud Tiering capabilities can be found in the Microsoft's official documentation. In this regard, it is appropriate to specify that there's no support between Azure File Sync with enabled cloud tiering, and data deduplication. If you want to enable Windows Server Data Deduplication, cloud tiering capabilities must be maintained disabled.

After adding one or more Server Endpoint you can check the status of the Sync Group:

Figure 9 – Status of Sync Group

 

To achieve successful Azure File Sync deployment you should also carefully check compatibility with antivirus and backup solutions that are used.

Azure File Sync and DFS Replication (DFS-R) are two data replication solutions and can also operate in side-by-side as long as these conditions are met:

  1. Azure File Sync cloud tiering must be disabled on volumes with DFS-R replicated folders.
  2. The Server endpoints should not be configured on DFS-R read-only folders.

Azure File Sync can be a great substitute for DFS-R and for the migration you can follow the instructions in this document. There are still some specific scenarios that might require the simultaneous use of both replication solutions:

  • Not all on-premises servers that require a copy of the files can be connected to the Internet.
  • When the branch servers consolidate data in a single hub server, on which is then used Azure File Sync.
  • During the migration phase of deployment of DFS-R to Azure File Sync.

Conclusions

Azure File Sync is a solution that extends the classic file servers deployed on-premises with new features for content synchronization, using the potential of Microsoft public cloud in terms of scalability and flexibility.

Microsoft Azure: guide for the choice of the Region

Microsoft Azure is located in different places around the world and is the first to have datacenters in more geographical areas than any other cloud providers. This aspect provides a wide scalability, necessary to deliver applications in proximity of the geographical location of users, while preserving the residence of data and providing compliance and resiliency options. You can choose, between different Azure regions, where activate your services, undoubtedly has many advantages, but it is worth considering different aspects when you are faced with this choice. In this article we will be carried over the main elements that should be taken into account in the choice of the region of Azure.

A region in Azure consists of multiple datacenters residing in a specific geographical area and that are connected to each other through a low-latency network. To see the complete list of the Azure regions you can access the page Azure locations. Within a region are present physically distinct location denominated Availability Zones. Each Availability Zone is composed of multiple datacenters equipped independently of the others regarding the power, cooling systems and networks. Each region is paired with another region within the same geographical area, in order to preserve the data resiliency and increase compliance levels.

Figure 1 – Pair regions and Availability Zones within the same data residency boundary

Figures 2 – Azure regional pairs

The choice of the Azure region must be done carefully taking into consideration some key aspects, each of which can have a decisive influence.

 

Performance

Definitely one of the predominant factors in choosing the region is given by the performance, that they are bound by the network latencies in reaching the Azure datacenters. Typically, you choose the region closest geographically, but you can't always identify easily. In support of this choice you can use some useful third-party tools that provide objective values:

  • Azure Speed Test 2.0: by accessing this site, you can measure the latency from your web browser to the various Blob Storage Service residing in various Azure regions.

Figures 3 – Result shown from Azure Speed Test

  • Azure Latency Test: shows the network latency from your location to different Azure regions, with the ability to easily apply filters.

Figures 4 – Result shown from Azure Latency Test

 

Availability of services

Not all Azure services are available in all regions, it follows that it is appropriate to check carefully whether the Azure service that you intend to use is offered in the selected region. To see the Azure services available in each region you can access this page, that allows you to quickly apply filters to check the availability of services offered for region.

 

Compliance laws and residence of the data

Many organizations are cautious in the approach to cloud computing because they need their data geographically reside in a certain territory. Maintain the confidentiality of data is essential for all, but for customers who have specific needs in terms of compliance and data-residency, Microsoft offers all the information you need:

  • Date residency: by accessing this web site you can get all the information about where the data resides, distinguishing between the services for which you choose the region they belong and those who do not provide this selection during deployment.
  • Compliance: in this portal are listed useful support information for customers who have to comply with specific regulations regarding the use, transmission and archive of data.

 

Costs

The costs of the various Azure services may vary depending on region. If the others factors are not decisive in choosing, It may be useful to consider to deploy services in the region where they are most economically advantageous. In order to verify the costs of different services you can access the Azure pricing page.

Conclusions

The choice of the Azure region most appropriate for their business needs, must necessarily be made taking into consideration the factors listed. Since this is a strategic choice and not easily editable, the advice is to carefully examine the items listed above, in order to design the best architecture in Microsoft Azure environment.

Azure Virtual WAN: introduction to the solution

Azure Virtual WAN is a new network service that allows you to optimize and automate the branch-to-branch connectivity through Azure. Thanks to this service you can connect and configure network devices in branch to allow communication with Azure (branch-to-Azure). This article examines the components involved in Azure Virtual WAN and shows the procedure to be followed for its configuration.

 

Figure 1 – Azure Virtual WAN overview

The Azure Virtual WAN configuration includes the creation of the following resources.

 

Virtual WAN

The Virtual WAN resource represents a virtual layer of Azure network and collect different components. It is a layering that contains links to all the virtual hubs that you want to have inside the Virtual WAN. Virtual WAN resources are isolated and cannot contain common hubs.

Figure 2 – Start the process of creating Azure Virtual WAN

Figure 3 – Creating Azure Virtual WAN

When creating the Virtual WAN resource you are prompted to specify a location. In reality it is a global resource that does not reside in a particular region, but you are prompted to specify it just to be able to manage and locate more easily.

By enabling the option Network traffic allowed between branches associated with the same hub allows traffic between the various sites (VPN or ExpressRoute) associated with the same hub (branch-to-branch).

Figure 4 – Branch-to-branch connectivity option

 

Site

The site represents the on-prem environment. You will need to create as many sites as are the physical location. For example, if you have a branch office in Milan, one in New York and one in London, you will need to create three separate sites, which contain their endpoints of network devices used to establish communication. If you are using Virtual WAN partner network equipment, provides solutions to natively export this information into the Azure environment.

Figure 5 – Creating a site

In the advanced settings you can enable BGP, which if activated becomes valid for all connections created for the specific site . Among the optional fields you can specify device information, that may be of help to the Azure Team in case of any future enhancements or Azure support.

 

Virtual Hub

A Virtual Hub is a Microsoft-managed virtual network. The hub is the core component of the network in a given region and there can be only one hub for Azure region. The hub contains different service endpoints to allow to establish connectivity with the on-prem environment. Creating a Virtual Hub involves the generation of a new VNet and optionally a new VPN Gateway. The Hub Gateway is not a classic virtual network gateway that is used for ExpressRoute connectivity and VPN and it is used to create a Site-to-site connection between the on-prem environment and the hub.

Figure 6 – Creating a Hub

Figure 7 -Association of the site with a Hub

The Hubs should be associated with sites residing in the same region where there are the VNet.

 

Hub virtual network connection

The resource Hub virtual network connection is used to connect the hub with the virtual network. Currently you can create connections (peering) with virtual networks that reside in the same region of the hub.

Figure 8 – Connection of the VNet to a hub

Configuring the VPN device on-prem

To configure the VPN on-prem device, you can proceed manually, or if you are using Virtual WAN partner solutions, the configuration of the VPN devices can occur automatically. In the latter case the device controller gets the configuration file from Azure and applies the configuration to devices, avoiding the need to proceed with manual configurations. It all feels very comfortable and effective, saving time. Among the various virtual WAN partners we find: Citrix, Riverbed, 128 Technology, Barracuda, Check Point, NetFoundry and Paloalto. This list is intended to expand soon with more partners.

By selecting Download VPN configuration creates a storage account in the resource group 'microsoft-network-[location]’ from which you can download the configuration for the VPN device on-prem. That storage account can be removed after retrieving the configuration file.

Figure 9 - Download the VPN configuration

Figure 10 – Download the configuration file on the storage account

After configuration of the on-prem device, the site will be connected, as shown in the following figure:

Figure 11 - State of the connected site

It also provides the ability to establish ExpressRoute connections with Virtual WAN, by associating the circuit ExpressRoue to the hub. It also provides for the possibility of having Point-to-Site connections (P2S) towards the virtual Hub. These features are now in preview.

The Health section contains useful information to check the connectivity for each Hub.

Figure 12 – Check Hub health

 

Conclusions

Virtual WAN is the new Azure service that enables centralized, simple and fast connection of several branch, with each other and with the Microsoft public cloud. This service allows you to get a great experience of connectivity, taking advantage of the Microsoft global network, which can boast of reaching different region around the world, more than any other public cloud providers.

Azure Security Center: introduction to the solution

Azure Security Center is a cloud solution that helps prevent, detect and respond to security threats that affect the resources and workloads on hybrid environments. This article lists the main characteristics and features, to address the use cases and to understand the potential of the instrument.

Key features and characteristics of Azure Security Center

  • It manages security policies centrally. It ensures compliance with the safety requirements to be imposed on business and regulatory. Everything is handled centrally through security policies that can be applied to different workloads.

Figure 1 – Policy & Compliance Overview

Figure 2 – Policy management

  • It makes Security Assessment. It monitors the situation continuously in terms of security of machines, networks, storage and applications, in order to identify potential security problems.
  • It provides recommendations that you can implement. Are given indications that are recommended to implement to fix the security vulnerabilities that affect your environment, before they can be exploited in potential cyber attacks.

Figure 3 – Recommendations list

  • It assigns priorities to warnings and possible security incidents. Through this prioritization you can focus first on the security threats that may impact more on the infrastructure.

Figure 4 – Assigning severity for each report

Figure 5 – Assigning severity for each potential security incident detected

  • It allows to configure your cloud environment in order to protect it effectively. It is made available a simple method, quickly and securely to allowjust-in-time access to system management ports and applications running on the VM, by applying adaptive controls.

Figure 6 – Enabling Just-in-time VM access

  • It provides a fully integrated security solution. Allows you to collect, investigate and analyze security data from different sources, including the ability to integrate with third-party solution.

Figure 7 – Integration with other security solutions

 

The Cost of the Solution

Security Center is offered in two different tiers:

  • Free tier. In this tier Azure Security Center is completely free and provides visibility into security of resources residing only in Azure. Among the features offered there are: basic security policy, security requirements and integration with third-party security products and services.
  • Standard tier. Compared to tier free adds enhanced threat detection (including threat intelligence), behavioral analysis, anomaly detection and security incidents and reports of conferral of threats. The tier standard extends the visibility on the security of the resources that reside on-premises, and hybrid workloads. Through machine learning techniques and having the ability to create whitelist it allows to block malware and unwanted applications.

Figure 8 – Comparison of features between the available pricing tiers

For the Standard tier, you can try it for free for 60 days after that, if you want to continue using the solution, you have a monthly fee for single node. For more information on costs of the solution you can access to the official page of costs.

Figure 9 – Standard tier upgrade screen

To take advantage of all the Security Center features is necessary to apply the Standard Tier to the subscribtion or to the resource group that contains the virtual machines. Configuring the tier Standard does not automatically enable all features, but some of these require specific configurations, for example VM just in time, adaptive control of applications and network detection for resources in Azure.

 

Basic principles of operation

The collection of security data from systems, regardless of their location, is via the Microsoft Monitoring Agent, that it provides to its sending to a Log Analytics workspace. Security Center requires a workspace on which you enabled the following solution according to tier chosen:

  • Free tier: the Security Center enables the solution SecurityCenterFree.
  • Standard tier: the Security Center enables the solution Security. If in the workspace is already installed the solution Security & Auditit is used and nothing else is installed.

To save the data collected from the Security Center you can use a Log Analytics workspace created by default or select a specific one associated with the relative Azure subscription.

Figure 10 – Configuration of the workspace of Log Analytics where you collect the data

Conclusions

Azure Security Center is an appropriate, mature and structured solution to meet the security requirements for cloud, on-premises, or hybrid environments. Thanks to several features covered provides the knowledge that Microsoft has matured in the management of its services, combining it with powerful new technologies, as machine learning and big data, to treat and manage consciously and effectively the security.

OMS and System Center: What's New in August 2018

In August have been announced, by Microsoft, a considerable number of news about Operations Management Suite (OMS) and System Center. Our community releases this monthly summary that gives you a comprehensive overview of the main news of the month, in order to stay up to date on these news and have the necessary references to conduct further study.

Operations Management Suite (OMS)

Azure Log Analytics

As already announced in the article The management of Log Analytics from the Azure portal Microsoft has chosen to abandon the OMS portal, in favour of the Azure Portal. The date announced for the final withdrawal of the OMS portal is the 15 January 2019. As a result of this choice also creation of new workspace of Azure Log Analytics can be performed only from the Azure Portal. Trying to create a new workspace from the old OMS portal you will be redirected to the Azure portal to complete the task. Have not made any changes to REST API and PowerShell to create workspaces.

Even the Advanced Analytics Portal is incorporated into the Azure Portal. At the moment you can access this portal by logging on to Logs (preview) available in the workspace of Log Analytics.

Figure 1 - Advanced Analytics available in the Logs (preview) from the Azure Portal

 

Azure Automation

Managing updates through Azure Automation Update Management sees the addition of a new option for the deployment of the updates. When creating or editing an update deployment is now an option the Reboot, that allows you to control whether and when reboot systems. For more information please visit the official technical documentation.

Figure 2 – Reboot option available in the update deployment

In the functionality of Change Tracking the following changes have been made:

  • To track changes and make the inventory of the files in the Windows environment now you can use: recursion, wildcards, and environment variables. In Linux there is already the support for recursion and wildcards.
  • As for the changes that are processed in files, both Windows and Linux, introduced the ability to display the content of the changes.
  • Introduced the possibility to reduce the frequency with which Windows services are collected (frequency is expressed in seconds and runs from a minimum of 10 seconds to a maximum of 30 minutes).

Agent

This month the new version ofOMS agent for Linux systems fixes some bugs and introduces an updated version for several core components, that increase the stability, the safety and improve the installation process. Among the various news is introduced the support for Ubuntu 18.04. To obtain the updated version of the OMS agent you can access to the official GitHub page OMS Agent for Linux Patch v 1.6.0-163. In the case the OMS agent for Linux systems has been installed using the Azure Extension and if its automatic update is active, this update will be installed independently.

Figure 3 – Bug fixes and what's new for the OMS agent for Linux

 

Azure Site Recovery

For Azure Site Recovery was released theUpdate Rollup 27 introducing new versions of the following components:

  • Microsoft Azure Site Recovery Unified Setup/Mobility agent (version 9.18.4946.1): used for replication scenarios from VMware to Azure.
  • Microsoft Azure Site Recovery Provider (version 5.1.3550.0): used for replication scenarios from Hyper-V to Azure or to a secondary site.
  • Microsoft Azure Recovery Services agent (version 2.0.9125.0): used for replication scenarios from Hyper-V to Azure.

The installation of this update rollup is recommended in deployments where there are components and their respective versions below reported:

  • Unified Setup/Mobility agent version 9.14.0000.0 or later.
  • Site Recovery Provider (with System Center VMM): version 3.3. x. x or later.
  • Site Recovery Provider (for replication without VMM): version 5.1.3100.0 or later.
  • Site Recovery Hyper-V Provider: version 4.6. x. x or later.

For more information on the issues resolved, on improvements from this Update Rollup and to get the procedure for its installation is possible to consult the specific KB 4055712.

 

In Azure Site Recovery was introduced support for enabling disaster recovery scenarios Cross-subscription, for IaaS virtual machines, as long as belonging to the same Azure Active Directory tenant. This feature is very useful because often you have environments that use different Azure subscriptions, created primarily to have greater control of costs. Thanks to this new support you can more easily reach business continuity requirements creating disaster recovery plans without altering the topology of the Azure subscriptions in your environment.

Figure 4 - VM replica configuration to a different subscription target

 

Azure Site Recovery now can integrate with Veritas Backup Exec Instant Cloud Recovery (ICR) with the release of Backup Exec 20.2. Using ICR, Backup Exec users are able to configure replication of VMs on-premises to Azure and easily operate the DR plan if necessary, reducing the Recovery Point Objective (RPO) and the Recovery Time Objective (RTO). Instant Cloud Recovery requires a subscription Azure and supports Hyper-V and VMware virtual machines. For more details and references you can see thespecific announcement.

Azure Backup

In this interesting article there is the procedure to monitor all workloads protected by Azure Backup using Log Analytics.

System Center

System Center Configuration Manager

Released the version 1806 for the Current Branch (CB) of System Center Configuration Manager that introduces new features and major improvements in the product.

Among the main innovations of this update there is a new feature called CMPivot. It is a new utility available in the Configuration Manager console that can provide information in real time about connected devices in your environment. On this information you can apply filters and groupings, then perform certain actions.

Figure 5 – Features and benefits of CMPivot functionality

For a complete list of new features introduced in this version of Configuration Manager, you can consult theofficial announcement.

 

Released the version 1808 for the branch Technical Preview of System Center Configuration Manager. This update introduces the ability to perform a gradual release of software updates automatically. The button that allows you to configure this operation is shown in figure below and can be found in the console nodes All Software Updates, All Windows 10 Updates, and Office 365 Updates.

Figure 6 – Phased Deployment creation button

For more information about configuring Phased Deployments in Configuration Manager, you can refer to the Microsoft technical documentation .

I remind you that the releases in the Technical Preview Branch allows you to evaluate in preview new SCCM functionality and is recommended to apply these updates only in test environments.

 

System Center Operations Manager

Released the updated version of Microsoft System Center 2016 Management Pack for Microsoft Azure (version 1.5.20.18).

There are also the following news:

 

Evaluation of OMS and System Center

Please remember that in order to test and evaluate for free Operations Management Suite (OMS) you can access this page and select the mode that is most appropriate for your needs.

To try out the various components of System Center you must access theEvaluation Center and after the registration you can start the trial period.

Azure Networking: introduction to the Hub-Spoke model

A network topology increasingly adopted by Microsoft Azure customers is the network topology defined Hub-Spoke. This article lists the main features of this network architecture, examines the most common use cases, and shows the main advantages that can are obtained thanks to this architecture.

The Hub-Spoke topology

In a Hub-Spoke network architecture, theHub is a virtual network on Azure that serves as the point of connectivity to the on-premises network. This connectivity can be done through VPN Site to site or through ExpressRoute. The Spoke are virtual networks running the peering with the Hub and can be used to isolate workloads.

The architecture basic scheme:

Figure 1 – Hub-Spoke basic network architecture

This architecture is also designed to position in the Hub network a network virtual appliance (NVA) to control the flow of network traffic in a centralized way.

Figure 2 - Possible architecture of Hub vNet in the presence of NVA

In this regard it should be noted that Microsoft recently announced the availability of the’Azure Firewall, a new managed service and fully integrated into the Microsoft public cloud, that allows you to secure the resources present on the Virtual Networks of Azure. At the moment the service is in preview, but soon it will be possible to assess the adoption of Azure Firewall to control centrally, through policy enforcement, network communication streams, all cross subscriptions and cross virtual networks. This service, in the presence of Hub-Spoke network architectures , lends itself to be placed in the Hub network, in order to obtain complete control of network traffic.

Figure 3 - Positioning Azure Firewall in the Hub Network

For additional details on Azure Firewall you can see Introduction to Azure Firewall.

When you can use the Hub-Spoke topology

The network architecture Hub-Spoke is typically used in scenarios where these characteristics are required in terms of connectivity:

  • In the presence of workloads deployed in different environments (development, testing and production) which require access to the shared services such as DNS, IDS, Active Directory Domain Services (AD DS). Shared services will be placed in the Hub virtual network, while the various environments (development, testing and production) will be deployed in Spoke networks to maintain a high level of insolation.
  • When certain workloads must not communicate with all other workloads, but only with shared services.
  • In the presence of reality that require a high level of control over aspects related to network security and needing to make a segregation of the network traffic.

Figure 4 – Hub-Spoke architecture design with its components

The advantages of the Hub-Spoke topology

The advantages of this Azure network topology can be summarized as:

  • Cost savings, because shared services can be centralized in one place and used by multiple workloads, such as the DNS server and any virtual appliances. It also reduces the VPN Gateways to provide connectivity to the on-premises environment, with a cost savings for Azure.
  • Granular separation of tasks between IT (SecOps, InfraOps) and workloads (Devops).
  • Greater flexibility in terms of management and security for the Azure environment.

Useful references for further reading

The following are the references to the Microsoft technical documentation useful to direct further investigation on this topic:

Conclusions

One of the first aspects to consider when you implement solutions in the cloud is the network architecture to be adopted. Establish from the beginning the most appropriate network topology allows you to have a winning strategy and avoid to be in the position of having to migrate workloads, to adopt different network architectures, with all the complications that ensue.

Each implementation requires a careful analysis in order to take into account all aspects and to make appropriate assessments. It is therefore not possible to assert that the Hub-Spoke network architecture is suitable for all scenarios, but certainly it introduces several benefits that make it effective for obtaining certain characteristics and have a high level of flexibility.